Security Risks in Protecting an Organization’s Assets

The protection of an organisation’s assets must be based on understanding security risks - the only way an effective security solution / services can be found and implemented is by carrying out a comprehensive security risk assessment and security audit, 'discuss'.
In this paper, the importance of security risk assessments and security audits to an organization wishing to select the most cost-effective security solution (and security supplier[1]) to protect its assets will be discussed. Prior to engaging with the assumptions which are embedded within the statement at the top of this paper, it is first important to define what is meant by ‘security risks’. A succinct definition of the concept has been provided by Landoll (2006, p36), an eminent author in this field of industry, who writes: “Security risks are a measurement of the likelihood that [an]... organization’s assets are susceptible.”
If we accept this definition as the starting point of our discussion, we can immediately assert that, if an organization chooses to employ a proactive[2] security system to protect its assets, then it must necessarily perform an assessment of the security risks to which those assets are vulnerable - if it did not, then it would be unable to select the most cost-effective solution to protect those assets because, simply stated, it would not know what risks it needed to protect itself from. Of course, if an organisation chooses only to employ a reactive security system, i.e. one which is designed to protect assets against security breaches which have occurred previously[3], then a security risk assessment is not necessary - the security risks will be identified from actual breaches which have occurred, and a solution selected on the basis of damage assessment and appropriate safeguard design.
We can therefore conclude that, while the protection of an organisation’s assets from new forms of security breaches must be based on understanding security risks, the protection of an organisation’s assets from security breaches which have already occurred in the past requires no real understanding of security risks - the security risk is identified from an actual breach rather than from a risk assessment or security audit. In this regard, the first assumption provided by the statement at the top of this paper, namely that ‘the protection of an organisation’s assets must be based on understanding security risks’, must be considered, at least partially, inaccurate. In order to understand the impact of this inaccuracy, it is important to address the following question: Under what circumstances is it appropriate for an organisation to employ only a reactive security system to protect its assets? While it will not be possible within the limited scope of this paper to provide a comprehensive answer to this question, two important observations can be made:
  1. A (solely) reactive model is not appropriate for an organisation whose environment is constantly changing, such as a web-based organisation - the security threats that such organisations are likely to face will evolve, and a purely reactive model would not be able to prevent future breaches effectively.
  2. While a reactive ‘incident response’ model may be appropriate for an organization whose environment is simple[4], static and unchanging, that organisation will only be able to reach the conclusion that a reactive model is appropriate either (i) through exercising such a model and discovering that the security risks faced by the organisation are few and non-evolving; or, (ii) by performing a security risk assessment and discovering that the security risks faced by the organisation are few and non-evolving. No prudent security system architect would ever promote the former of these routes, unless the assets owned by the organisation have such little value that it is not cost-effective to perform a comprehensive security audit[5].
Accepting that the assumption of the statement at the top of this paper is not accurate for organizations with low-value assets, existing within a static, non-evolving environment, let us now turn to consider the second assertion provided by the statement at the top of this paper; namely, that ‘the only way an effective security solution / service can be found and implemented is by carrying out a comprehensive security risk assessment and security audit’. The only contentious element of this assertion, and semi-contentious at that, is that the carrying out of a comprehensive security risk assessment and security audit is the only way to find an effective security solution. After all, no authors have ever argued against the usefulness of security risk assessments; in fact, quite the contrary:
“Assessments are the key tools for uncovering security issues that may have been well hidden before. Often, an assessment leads to a compelling event that increases internal awareness of your organization’s security shortcomings — it may uncover a prior, but undiscovered, breach; or a penetration test may “create” such an event by highlighting vulnerabilities. In addition, assessments can also help create budget resources for security enhancement — besides identifying problems, an assessment report can provide justification for making the investment necessary to solve the problems.[6]”
The question is whether or not it is possible to select a proactive security solution without first conducting an assessment and audit. It seems clear that it is not: As we have argued earlier, without a comprehensive assessment and audit it will not be possible to identify and quantify each security vulnerability, and as such it will not be possible to create a bespoke and comprehensive security solution.
We must therefore conclude that the statement at the top of this paper is wholly accurate in regard to proactive security systems, while only partially accurate in regard to reactive security systems.
In the last part of this paper, let us turn to examine how this statement could be improved to render it a more useful piece of guidance. One important point is that, in an evolving organisational environment, in order to ensure that the most effective security solution is maintained, regular security risk assessments and security audits must be conducted. The reason for this is self-explanatory: As the environment changes so too do the potential security risks. It is possible for a previously effective security solution, based upon a comprehensive assessment and audit, to become out-dated.
Additionally, an assessment and an audit will not be useful unless the resultant solutions are actually implemented. As Axt (2003, p98) notes: “In the author's experience, more than one manager has nodded in agreement to proposed solutions without having any intention of adopting the suggested measures.”
One final point which should be noted is the importance of employing independent auditors to conduct the security risk assessments and security audits. As Goldman and Orton (2001, p2) note: “Only independent and impartial tests can validate corporate security efforts, ensure that all potential security problems have been examined and exposed and provide the service’s clients with objective proof that sufficient due diligence has been exercised in securing their data...Companies need external expertise to audit their sites... Bringing somebody in from the outside creates a greater initiative to find a problem. Having your internal people, who set up the security system, does not only create a questionable initiative for them to find things that are wrong but it might simply be hard for them to do.”
In conclusion, the author of this paper would argue that the statement at the top of this paper might be more accurately and more usefully presented as follows: “The protection of an organisation’s valuable assets ought to be based on understanding security risks - the best way an effective security solution can be found and implemented is by instructing a firm of independent security analysts to carry out regular comprehensive security risk assessments and security audits, and to ensure that their proposed security solutions are implemented by senior management.”

References and Bibliography

Landoll, D., 2006. The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. Auerbach Publications, Taylor & Francis Group: New York.
IBM, 2007. Acquire a global view of your organization’s security state: the importance of security assessments. Security Solutions White Paper. Available on-line at https://www-935.ibm.com/services/us/iss/pdf/assess_white_paper.pdf Last accessed: 05/10/08, 13:45.
Goldman, N. and Orton, E., 2001. The Critical Role of Independent Security Audits. Pp1-11. ADDSecure.net Inc. Available for download from https://www.addsecure.net/audit.rtf.
Tippett, P. and O’Neill, D., 2001. Managing Information Security Risk. ABA Banking Journal, Vol. 93, 2001.
Bedard, J., Graham, L. and Jackson, C., 2005. Information systems risk and audit planning. International Journal of Auditing 9 (2): 147-163.
Axt, D., 2003. From Recommendations to Results: From Walk-Through to Implementation, a Well-Planned Security Assessment Can Ease the Way for a Successful Security Upgrade. Security Management, Vol. 47, March 2003.
White, D., 1995. Application of Systems Thinking to Risk Management: a review of the literature. Management Decision, Vol. 33, No. 10, 1995, pp. 35-45. Edinburgh: MCB University Press Ltd.

Footnotes

[1] The selection of a suitable supplier can be as difficult as the selection of an appropriate security solution: Not all suppliers will have the necessary expertise or the products in place to meet a proposed solution.
[2] One which seeks to protect an organisation’s assets from potential security breaches, i.e. breaches which have not yet occurred but which are likely.
[3] For example, the incident response model. For a brief summary of this model, see Microsoft (2004, fig. 2.1) available on-line at https://technet.microsoft.com/en-us/library/cc163152.aspx. Last accessed 04/10/08, 15:00.
[4] It is unlikely that a reactive model would be appropriate for a complex organisation. As Tippett and O’Neill (2001, p74) write: “Increasing complexity = increasing vulnerability. The more complex a system gets, the more vulnerable it becomes to attack. Vulnerability increases exponentially as complexity increases.”
[5] It should be remembered that security audits can be rather costly (e.g. two American researchers discovered that: “The price of a truly comprehensive technical audit might start from US$40,000 to $85,000 and require extensive time and resources to run and implement consultants' recommendations.” Goldman and Orton (2001, p6)), and it is for this reason that a small organization with few valuable assets might decide to avoid an audit and simply operate a reactive model.
[6] IBM, (2007, p4)

Cite this page

Security risks in protecting an organization's assets. (2017, Jun 26). Retrieved December 15, 2024, from
https://studydriver.com/security-risks-in-protecting-an-organizations-assets/
